In a recent cyber espionage campaign, Russian aerospace and defense industries have been targeted through the deployment of a sophisticated backdoor known as EAGLET. This operation, identified as Operation CargoTalon, has been attributed to a threat cluster designated UNG0901 (Unknown Group 901).
The attack primarily focuses on employees of the Voronezh Aircraft Production Association (VASO), a significant entity in Russia’s aircraft manufacturing sector. The perpetrators use товарно-транспортная накладная (TTN) documents, the consignment notes that are essential to Russian logistics operations, as bait to lure victims.
Attack Methodology:
The campaign initiates with spear-phishing emails that carry cargo delivery-themed lures. These emails contain a ZIP archive housing a Windows shortcut (LNK) file. When executed, this LNK file employs PowerShell to display a decoy Microsoft Excel document while simultaneously deploying the EAGLET DLL implant onto the victim’s system.
The decoy document references Obltransterminal, a Russian railway container terminal operator that was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) in February 2024.
EAGLET Backdoor Capabilities:
Once installed, EAGLET gathers system information and establishes a connection to a hard-coded remote server at 185.225.17[.]104. It processes HTTP responses from this server to extract commands for execution on the compromised Windows machine. The backdoor supports shell access and facilitates file upload/download operations. However, the specific nature of subsequent payloads delivered through this method remains unknown, as the command-and-control (C2) server is currently offline.
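The two observable stages described above (Explorer launching a hidden PowerShell that references both an Office decoy and a DLL, then HTTP traffic to the hard-coded C2) can be correlated per host in endpoint telemetry. The following is an added example, not code from the report or from any vendor; the field names, the assumption that the LNK-launched PowerShell uses a hidden window, and the sample events are all constructed for illustration.

```python
import re
from collections import defaultdict

# Indicator from the report: EAGLET's hard-coded C2 address (written 185.225.17[.]104 there).
EAGLET_C2 = "185.225.17.104"

POWERSHELL = re.compile(r"\\powershell(\.exe)?$", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)  # assumed lure behaviour
DECOY_DOC = re.compile(r"\.(xlsx?|docx?)\b", re.IGNORECASE)
DLL_DROP = re.compile(r"\.dll\b", re.IGNORECASE)

def is_lure_powershell(ev):
    """Process-creation event matching the lure chain: Explorer (LNK double-click)
    spawning hidden PowerShell whose command line names an Office decoy and a DLL."""
    return (ev["type"] == "process"
            and POWERSHELL.search(ev["image"]) is not None
            and ev["parent"].lower().endswith("\\explorer.exe")
            and HIDDEN_FLAG.search(ev["cmdline"]) is not None
            and DECOY_DOC.search(ev["cmdline"]) is not None
            and DLL_DROP.search(ev["cmdline"]) is not None)

def is_c2_beacon(ev):
    """Network-connection event to the known EAGLET C2 over plain HTTP."""
    return ev["type"] == "network" and ev["dst_ip"] == EAGLET_C2 and ev["dst_port"] == 80

def triage(events):
    """Correlate per host: both stages together rate 'high', either alone 'medium'."""
    hits = defaultdict(set)
    for ev in events:
        if is_lure_powershell(ev):
            hits[ev["host"]].add("lure_powershell")
        if is_c2_beacon(ev):
            hits[ev["host"]].add("eaglet_c2")
    return {h: ("high" if len(s) == 2 else "medium", sorted(s)) for h, s in hits.items()}

# Constructed sample telemetry (not real logs) in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c Start-Process $env:TEMP\TTN.xlsx; Copy-Item $env:TEMP\x.dll $env:APPDATA"},
    {"host": "ws-01", "type": "network", "dst_ip": "185.225.17.104", "dst_port": 80},
    {"host": "ws-02", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\scripts\backup.ps1"},  # benign admin script
    {"host": "ws-03", "type": "network", "dst_ip": "185.225.17.104", "dst_port": 80},
]

if __name__ == "__main__":
    for host, (severity, stages) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity} {stages}")
```

A host that only contacts the C2 (ws-03) still warrants a medium rating, since the report notes the server was offline at analysis time and a beacon attempt alone indicates the implant is present.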
Broader Implications:
Further investigations have revealed similar campaigns targeting the Russian military sector with the EAGLET backdoor. Notably, there are overlaps in source code and targeting strategies with another threat cluster known as Head Mare, which also focuses on Russian entities. Functional parallels exist between EAGLET and PhantomDL, a Go-based backdoor featuring shell and file transfer capabilities. Additionally, similarities in the naming conventions of phishing message attachments have been observed.
Contextual Background:
This disclosure emerges amidst ongoing cyber activities involving Russian state-sponsored hacking groups. For instance, UAC-0184 (also known as Hive0156) has been linked to recent attacks targeting Ukrainian victims with Remcos RAT as of July 2025. Since early 2024, this threat actor has consistently deployed Remcos RAT, with recent attack chains simplifying the delivery process by using weaponized LNK or PowerShell files to retrieve decoy documents and payloads.
Conclusion:
The Operation CargoTalon campaign underscores the persistent and evolving nature of cyber threats targeting critical sectors. The use of sophisticated backdoors like EAGLET highlights the need for robust cybersecurity measures and continuous vigilance to protect sensitive industries from such espionage activities.